Ignore unknown sources rules macros

test/falco_tests_plugins.yaml

@@ -103,4 +103,20 @@ trace_files: !mux
       - Cloudtrail Create Instance
     stderr_contains: "Rule Cloudtrail Create Instance: warning .unknown-source.: unknown source aws_cloudtrail, skipping"
 
+  no_plugins_unknown_source_macro:
+    detect: False
+    rules_file:
+      - rules/plugins/cloudtrail_macro.yaml
+    trace_file: trace_files/empty.scap
+    stderr_contains: "Macro Some Cloudtrail Macro: warning .unknown-source.: unknown source aws_cloudtrail, skipping"
+
+  no_plugins_unknown_source_rule_exception:
+    detect: False
+    rules_file:
+      - rules/plugins/cloudtrail_create_instances_exceptions.yaml
+    trace_file: trace_files/empty.scap
+    rules_warning:
+      - Cloudtrail Create Instance
+    stderr_contains: "Rule Cloudtrail Create Instance: warning .unknown-source.: unknown source aws_cloudtrail, skipping"
+
 

test/rules/plugins/cloudtrail_create_instances_exceptions.yaml

@@ -0,0 +1,9 @@
+- rule: Cloudtrail Create Instance
+  desc: Detect Creating an EC2 Instance
+  condition: evt.num > 0 and ct.name="StartInstances"
+  output: EC2 Instance Created (evtnum=%evt.num info=%evt.plugininfo id=%ct.id user name=%json.value[/userIdentity/userName])
+  exceptions:
+  - name: user_secreid
+    fields: [aws.user, aws.region]
+  priority: INFO
+  source: aws_cloudtrail

test/rules/plugins/cloudtrail_macro.yaml

@@ -0,0 +1,4 @@
+- macro: Some Cloudtrail Macro
+  condition: aws.user=bob
+  source: aws_cloudtrail
+

userspace/engine/lua/rule_loader.lua

@@ -460,6 +460,14 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	    v['source'] = "syscall"
 	 end
 
+	 valid = falco_rules.is_source_valid(rules_mgr, v['source'])
+
+	 if valid == false then
+	    msg = "Macro "..v['macro']..": warning (unknown-source): unknown source "..v['source']..", skipping"
+	    warnings[#warnings + 1] = msg
+	    goto next_object
+	 end
+
 	 if state.macros_by_name[v['macro']] == nil then
 	    state.ordered_macro_names[#state.ordered_macro_names+1] = v['macro']
 	 end
@@ -542,6 +550,14 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	    v['source'] = "syscall"
 	 end
 
+	 valid = falco_rules.is_source_valid(rules_mgr, v['source'])
+
+	 if valid == false then
+	    msg = "Rule "..v['rule']..": warning (unknown-source): unknown source "..v['source']..", skipping"
+	    warnings[#warnings + 1] = msg
+	    goto next_object
+	 end
+
 	 -- Add an empty exceptions property to the rule if not defined
 	 if v['exceptions'] == nil then
 	    v['exceptions'] = {}
@@ -735,6 +751,8 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	 arr = build_error_with_context(context, "Unknown top level object: "..table.tostring(v))
 	 warnings[#warnings + 1] = arr[1]
       end
+
+      ::next_object::
    end
 
    return true, {}, warnings
@@ -1008,14 +1026,6 @@ function load_rules(rules_content,
 
       if (filter_ast.type == "Rule") then
 
-	 valid = falco_rules.is_source_valid(rules_mgr, v['source'])
-
-	 if valid == false then
-	    msg = "Rule "..v['rule']..": warning (unknown-source): unknown source "..v['source']..", skipping"
-	    warnings[#warnings + 1] = msg
-	    goto next_rule
-	 end
-
 	 state.n_rules = state.n_rules + 1
 
 	 state.rules_by_idx[state.n_rules] = v